U.S. Department of Agriculture
Office of Inspector General
Financial and IT Operations
Audit Report

INFORMATION SECURITY AT THE NATIONAL AGRICULTURAL STATISTICS SERVICE

Report No. 26099-2-FM
March 2002

UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

DATE: March 25, 2002
REPLY TO ATTN OF: 26099-2-FM
SUBJECT: Information Security at the National Agricultural Statistics Service
TO: R. Ronald Bosecker, Administrator, National Agricultural Statistics Service

This report presents the results of our audit of Information Security at the National Agricultural Statistics Service (NASS). You requested that we conduct this review to ascertain whether security breaches, alleged in hard-copy e-mail messages brought to your attention in November 2001, actually existed. Nothing came to our attention during our review that indicated that the alleged security breaches had occurred or that NASS data had been misused. While we did identify material weaknesses in the NASS network, nothing came to our attention during our review that indicated that NASS or its employees used those weaknesses for personal gain. NASS has corrected a substantial number of the problems found, and has aggressively implemented plans to correct the remaining areas of concern.

Your response to our draft report is included in Exhibit A, with excerpts incorporated in the findings and recommendations section of the report. Based on the information provided in the response, we have accepted management decisions on all recommendations.
Please follow your internal procedures in forwarding documentation of final action to the Office of the Chief Financial Officer.

We appreciate the courtesies and cooperation extended to us during this audit.

RICHARD D. LONG
Assistant Inspector General for Audit

EXECUTIVE SUMMARY

INFORMATION SECURITY AT THE NATIONAL AGRICULTURAL STATISTICS SERVICE
AUDIT REPORT NO. 26099-2-FM

RESULTS IN BRIEF

We initiated our review at the request of National Agricultural Statistics Service (NASS) management to verify whether (1) its employees had used its electronic mail (e-mail) system to prepare and send three sets of e-mails, which contained racially derogatory language and alleged security breaches within NASS' network; and (2) the security breaches alleged in those e-mails actually occurred. The e-mails were brought to the attention of NASS management after two current NASS employees said they received them in hard copy through the U.S. Postal Service. NASS management immediately requested that we conduct a review to determine whether the e-mails and the security breaches alleged in those e-mails were legitimate. We conducted our review in January and February 2002. Nothing came to our attention during our review that indicated that the e-mails had been initiated using the NASS e-mail system, that the security breaches alleged in those e-mails had occurred, or that any NASS data had been misused.
Further, while we did identify material weaknesses in the administration of NASS' network, as discussed below, nothing came to our attention during our review that indicated that NASS or its employees used those weaknesses for personal gain.

Our vulnerability scans of selected NASS network devices disclosed vulnerabilities that could be exploited from within NASS' network, and some that could be exploited externally. NASS had taken action on our prior audit recommendation by acquiring one of the vulnerability assessment tools that we used during our audit; however, NASS had only just begun to use the tool and had not fully integrated it into its efforts to identify and eliminate security vulnerabilities within its network.

We found that NASS needs to strengthen its firewall administration and increase security over remote access to its network resources. Due to other priorities placed on its security staff, NASS does not have controls in place to keep its firewall configuration current by periodically reviewing and modifying its firewall rules, and has not ensured that the firewall administrator receives proper training in its configuration. In addition, NASS' current remote access policy reduces the effectiveness of its firewall by allowing users unauthenticated access through it.

USDA/OIG-A/26099-2-FM Page i

We also found that NASS did not ensure that only authorized users had access to its network.
NASS had not implemented adequate written procedures to ensure that it removed, in a timely manner, the user accounts of persons who had left NASS employment, and had accepted the risk of using generic user accounts on its network. As a result, persons no longer employed at NASS, or anyone with knowledge of the generic user accounts, could inappropriately access and potentially destroy critical NASS data.

Finally, NASS needs to report the material internal control weaknesses we have identified in its Federal Managers' Financial Integrity Act (FMFIA) report. It also needs to establish goals and performance measures in its Government Performance and Results Act (GPRA) report that relate to securing its information technology resources and data.

KEY RECOMMENDATIONS

We recommended that NASS:

• Ensure corrective actions are taken on all high and medium-risk vulnerabilities identified on the assessment reports provided to NASS officials.

• Develop and implement a policy to periodically review the firewall configuration and remove or modify firewall rules as necessary.

• Implement a virtual private network solution with smart card or token authentication and strong encryption for remote access to the internal NASS network.

• Ensure that NASS' security staff is properly trained to configure and maintain the firewall rule base to ensure the appropriateness of firewall rules.

• Establish and implement procedures to periodically reconcile user accounts on the NASS networks to current employee listings, and take immediate action to remove those
accounts no longer needed.

• Discontinue the use of all generic user accounts on the NASS network. Establish accounts on an as-needed basis and assign individual responsibility to those accounts.

• Report the material control weaknesses identified in this report, including the noncompliance with Office of Management and Budget Circular A-130 and Presidential Decision Directive 63, in its FMFIA report.

• Establish performance goals and measures relating to information technology security in its GPRA report.

AGENCY RESPONSE

NASS agreed with our recommendations and has initiated significant corrective actions.

OIG POSITION

We concurred with NASS' proposed corrective actions.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
  RESULTS IN BRIEF
  KEY RECOMMENDATIONS
  AGENCY RESPONSE
  OIG POSITION
TABLE OF CONTENTS
INTRODUCTION
  BACKGROUND
  OBJECTIVES
  SCOPE
  METHODOLOGY
FINDINGS AND RECOMMENDATIONS
  CHAPTER 1 - MISUSE OF NASS IT RESOURCES COULD NOT BE SUBSTANTIATED
    FINDING NO. 1
  CHAPTER 2 - VULNERABILITIES COULD EXPOSE NASS SYSTEMS TO THE RISK OF MALICIOUS ATTACKS FROM INTERNAL AND EXTERNAL THREATS
    FINDING NO. 2
    RECOMMENDATION NO. 1
    RECOMMENDATION NO. 2
    RECOMMENDATION NO. 3
    RECOMMENDATION NO. 4
  CHAPTER 3 - NASS NEEDS TO STRENGTHEN ADMINISTRATION OF ITS FIREWALL AND IMPROVE REMOTE ACCESS PROCEDURES
    FINDING NO. 3
    RECOMMENDATION NO. 5
    RECOMMENDATION NO. 6
    RECOMMENDATION NO. 7
  CHAPTER 4 - NASS NEEDS TO STRENGTHEN ITS LOGICAL ACCESS CONTROLS
    FINDING NO. 4
    RECOMMENDATION NO. 8
    RECOMMENDATION NO. 9
    RECOMMENDATION NO. 10
  CHAPTER 5 - FURTHER ACTIONS NEEDED TO COMPLY WITH FEDERALLY MANDATED SECURITY REQUIREMENTS
    FINDING NO. 5
    RECOMMENDATION NO. 11
    RECOMMENDATION NO. 12
  EXHIBIT A – NASS RESPONSE TO THE DRAFT REPORT
ABBREVIATIONS

INTRODUCTION

BACKGROUND

Information security is critical for any organization that depends on information systems and computer networks to carry out its mission or business. Computer security risks are significant, and they are growing. The dramatic expansion in computer interconnectivity and the exponential increase in the use of the Internet are changing the way our Government, the nation, and much of the world communicate and conduct business. However, without proper safeguards, these developments pose enormous risks that make it easier for individuals and groups with malicious intentions to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other organizations' sites. This environment poses a threat to the sensitive and critical operations of the National Agricultural Statistics Service (NASS).

NASS administers the U.S.
Department of Agriculture's (USDA) program of collecting, compiling, and disseminating current national, State, and county agricultural statistics. NASS' primary activities are the collection, summarization, and analysis of data for publication of accurate and reliable agricultural forecasts and estimates. Statistical data developed by NASS on the nation's agriculture are essential for the orderly development of production and marketing decisions by farmers, ranchers, and agribusiness. These data are also used for defining and carrying out agricultural policy related to farm program legislation, commodity programs, agricultural research, rural development, and related activities.

NASS issues the official agricultural production and marketing estimates relating to (1) the number of farms and land in farms, acreage, yield, and production of grains, grain stocks, hay, oilseeds, cotton, some fruits and vegetables, floriculture, and other specialty crops; (2) inventories and production of hogs, cattle, sheep and wool, catfish, trout, poultry, eggs, and dairy products; (3) prices received by farmers; (4) prices paid by farmers for inputs and services, cold storage stocks, agricultural labor, and wage rates; and (5) other agricultural subjects. Information for the official estimates is gathered from many sources, using a variety of means.

The information is entered through NASS' network of Local Area Networks, and uploaded through data communications to a mainframe computer where data files are stored and processed.
Data from the surveys are edited on the mainframe computer, or are edited and summarized on personal computers at the State Statistical Offices (SSOs). The SSOs also transmit computer data containing survey indicators and recommended estimates to Headquarters using data communications. Corn, cotton, soybeans, sweet oranges, winter wheat, and other spring wheat have been designated as "speculative" commodities. Data for these commodities are encrypted and handled under special security procedures in the "lockup" facility, where the official statistical estimates are generated, because of the sensitivity of the data and its potential impact on the futures market prices of the commodities involved. For "non-speculative" commodities that have been classified as sensitive, data communications are not encrypted and the estimates are finalized before the "lockup."

In May 2001, we issued our report on the security over NASS' information technology (IT) resources.[1] That audit was initiated as a part of a nationwide audit of IT security within the Department. We reported that NASS' network was vulnerable to the threat of internal and external intrusion, was not in compliance with federally mandated requirements for managing its IT resources, and had not ensured that only authorized users had access to its network resources.
We recommended that NASS periodically scan its network for vulnerabilities, ensure compliance with federally mandated security requirements, and ensure that only authorized users had access to its network. NASS agreed with our recommendations and immediately took action toward correcting the identified weaknesses.

Toward the end of that review, two NASS employees contacted the Office of Inspector General (OIG) whistleblower hotline and reported the existence of weaknesses in the NASS network. We contacted the two employees to determine the nature of the weaknesses; however, at that time they refused to discuss the specifics surrounding their concerns on the advice of their legal counsel.

Since that review, the two NASS employees said they received, through the U.S. Postal Service mail, a series of e-mails containing racially derogatory statements and citing backdoors in the NASS firewall configuration, and the existence of 'special user' accounts and 'corporate friends.' In November 2001, NASS officials requested that OIG conduct a review to ascertain whether the alleged security breaches existed.

[1] Audit Report No. 26099-1-FM, "Security Over Information Technology Resources at the National Agricultural Statistics Service," dated May 14, 2001.

OBJECTIVES

The objectives of this audit were to (1) verify whether e-mails that contained racially derogatory comments and allegations of security weaknesses in the NASS network had been prepared by NASS employees using the agency's e-mail system; (2) determine whether the security breaches alleged by those e-mails actually occurred; (3) follow up on the agency's progress in correcting the audit findings from our prior NASS IT audit; (4) determine the adequacy of security over the Local and Wide Area Networks; (5) determine if adequate logical and physical access controls exist to protect computer resources against unauthorized modification, disclosure, loss, or impairment; and (6) address any NASS management concerns.

SCOPE

We restored and reviewed the contents of selected NASS network server backup tapes within the October 1998 through December 1999 timeframe containing e-mail databases and user e-mail archives. We reviewed NASS' progress in implementing the recommendations made in our prior report. We also tested the NASS computer network to identify vulnerabilities that could enable unauthorized users to access sensitive data stored on or transmitted over NASS' systems. We conducted our assessment at the NASS headquarters in Washington, D.C.
We used commercial software applications to assist us in our security reviews of numerous NASS network components.

The audit was conducted in accordance with "Government Auditing Standards." Our testing was performed during January and February 2002.

METHODOLOGY

To accomplish our audit objectives, we performed the following procedures:

• We restored and reviewed e-mail databases and user archives from NASS backup tapes to ascertain whether NASS employees prepared and sent certain e-mails using its e-mail system.

• We reviewed the firewall and router configurations to determine whether adequate security measures had been implemented by NASS to protect its IT resources.

• We interviewed the two NASS employees who had called the OIG whistleblower hotline to obtain an understanding of their concerns regarding the security over NASS' IT network environment.

• We interviewed the current NASS employees named in the e-mails to determine whether they prepared or received those e-mails, or if they had any information relating to the allegations cited in those e-mails regarding security breaches within the NASS network.

• We reviewed IT security policies and procedures issued by the Office of Management and Budget (OMB), the Department, and NASS, to ensure NASS' compliance with existing IT security requirements.

• We performed detailed testing of NASS' entity-wide security program, analyzed logical access controls at NASS headquarters, and analyzed the records and controls established to ensure that the security of NASS' computer systems was sufficient and that controls were functioning as intended.

• We interviewed NASS officials responsible for managing the agency's computer systems to obtain an understanding of the management of its IT resources.

• We conducted vulnerability scans of the systems located in the NASS headquarters' network to assess the threat of network penetration.

FINDINGS AND RECOMMENDATIONS

CHAPTER 1 - MISUSE OF NASS IT RESOURCES COULD NOT BE SUBSTANTIATED

FINDING NO. 1

We initiated our review at the request of NASS management to (1) verify whether its employees had used its e-mail system to prepare and send three sets of e-mails, which contained racially derogatory language and alleged security breaches within NASS' network; and (2) verify whether the security breaches alleged in those e-mails actually occurred. Those e-mails were brought to the attention of NASS management after two current NASS employees said they received them in hard copy through the U.S. Postal Service.
NASS management immediately requested that we conduct a review to determine whether the e-mails and the security breaches alleged in those e-mails were legitimate.

With the assistance of NASS staff, we restored selected backup tapes dated October 30, 1998; November 27, 1998; April 30, 1999; May 28, 1999; and one set containing December 2000 archives. However, not all of the backup tapes from the time period of the e-mails still existed, so they were not all available for our review. NASS had only a 13-month retention policy for backup tapes; therefore, NASS employees took older tapes and reused them as needed. The tapes we chose to restore contained NASS' e-mail database or user-archived e-mails that should have enabled us to determine whether the e-mails, dated October 1998, April 1999, and December 1999, were present in the existing NASS backup tapes. We also conducted a review of the e-mail archives of a former NASS employee, which were provided to us by the two current NASS employees who said that they received the questioned e-mails. Our review consisted not only of searching for the exact e-mails, but also of searching for approximately 20 key words and phrases. The presence of these words and phrases would indicate additional use of racially derogatory language, or the existence of additional security breaches similar to those alleged in the e-mails, such as 'back doors' in the firewall, 'special user' accounts, or the existence of 'corporate friends.'

We also interviewed the two NASS employees who said they received the hard copy e-mails through the U.S. Postal Service.
They discussed with us their concerns over the security of NASS network resources, which we have addressed elsewhere in this report; however, they informed us that they had no knowledge of the specific security breaches alleged in the e-mails. We contacted these two employees prior to the issuance of our previous audit, after they had contacted our whistleblower hotline. At that time, on the advice of their legal counsel, they refused to provide us specifics of their concerns over the security of NASS' network.

We also interviewed the current NASS employees who were named in the e-mails. Each of the employees individually stated that they had not seen, received, or written the e-mails. Further, the employees had no knowledge of any 'back door' in the NASS firewall, 'special user' accounts, or 'corporate friends,' as alleged in the e-mails.

In conclusion, the backup tapes we reviewed did not contain the questioned e-mails. Because only a limited number of backup tapes existed, we cannot say with certainty whether or not the e-mails actually originated from the NASS e-mail system.
However, nothing came to our attention during our review that indicated that the e-mails had been initiated using the NASS e-mail system, that additional e-mails containing racially derogatory comments existed, that the security breaches alleged in those e-mails had occurred, or that any NASS data had been misused. Finally, while we did identify material weaknesses in the administration of the NASS network, nothing came to our attention during our review that indicated that NASS or its employees used those weaknesses for personal gain.

CHAPTER 2 - VULNERABILITIES COULD EXPOSE NASS SYSTEMS TO THE RISK OF MALICIOUS ATTACKS FROM INTERNAL AND EXTERNAL THREATS

FINDING NO. 2

Our vulnerability scans of selected NASS network devices disclosed vulnerabilities that could be exploited from within NASS' network, and some that could be exploited externally. NASS had taken action to implement the recommendations we made in our prior audit report by acquiring one of the vulnerability assessment tools that was used during our audit; however, NASS had only just begun to use the tool prior to our audit and had not fully integrated it into its efforts to identify and eliminate security vulnerabilities within its systems.
NASS has begun to correct the vulnerabilities we identified; however, until it completes its own scanning process, NASS' systems and networks could be vulnerable to cyber-related attacks.

OMB Circular A-130 requires agencies to assess the vulnerability of information system assets, identify threats, quantify the potential losses from threat realization, and develop countermeasures to eliminate or reduce the threat or amount of potential loss.

We conducted our assessment of selected NASS network components in January and February 2002. We utilized two commercial off-the-shelf software products: one designed to identify over 1,000 vulnerabilities associated with various operating systems that use Transmission Control Protocol/Internet Protocol (TCP/IP),[2] and the other, which tests system settings in Novell networks.

TCP/IP System Vulnerabilities

We conducted our vulnerability scans at NASS' Washington, D.C. offices. These scans included 46 NASS network components. Our assessments revealed 92 high and medium-risk vulnerabilities.[3] In addition, we identified 139 low-risk vulnerabilities. The high and medium-risk vulnerabilities, if left uncorrected, could allow unauthorized users access to NASS data. While NASS took corrective action to eliminate the vulnerabilities we identified in our last review, many of the high and medium-risk vulnerabilities we identified in this review were on systems that we had not previously scanned or on systems that NASS had placed into production since our prior review. Further, since our prior review, the software tool we used had been updated to identify an additional 200 vulnerabilities that had not been known to exist during our prior review. NASS recently purchased the same vulnerability scanning tool that we used and had just begun to integrate it into its overall security management process at the time of our review. To fully benefit from this tool, NASS needs to implement written policies to scan for and mitigate the identified vulnerabilities.

[2] TCP/IP is a suite of protocols originally developed for use by the U.S. military and now used on the Internet as the primary standard for the movement of data across multiple, diverse platforms, such as Windows NT and UNIX.

[3] High-risk vulnerabilities are those that provide access to the computer, and possibly the network of computers. Medium-risk vulnerabilities are those that provide access to sensitive network data that may lead to the exploitation of higher-risk vulnerabilities. Low-risk vulnerabilities are those that provide access to sensitive, but less significant, network data.

In addition to our review, NASS contracted with a private-sector firm to review its network security and its remote access policy. That contractor was able to successfully compromise NASS' network using a well-known vulnerability that existed on one of its systems. The contractor made several recommendations to strengthen NASS' network security and remote access policies.
NASS agreed with those recommendations and has begun to address them.

Detailed below are examples of the high-risk vulnerabilities revealed during our scans of the NASS systems:

•   A commonly used program to transfer electronic mail contains a vulnerability that could allow an attacker to gain complete administrative privileges on the system. Once this administrative privilege is established, an attacker could obtain, modify, or destroy NASS data.

•   Two commonly used programs for transferring files and performing remote administration were configured with default passwords. An attacker could use these programs to install and execute malicious software on this system that could affect other systems within the network.

We also conducted our scans through the firewall established by NASS as protection between NASS’ systems and the departmental telecommunications network. Through the firewall, we identified 16 high and medium-risk vulnerabilities and 8 low-risk vulnerabilities. These vulnerabilities may be exploitable by malicious users outside the NASS network, including the global Internet. Finally, in addition to the vulnerabilities identified by our scans, we found weak user passwords on several of NASS’ systems.

Novell System Policies

We conducted a detailed assessment of the security of NASS’ Novell network at its headquarters office. Our assessment software allowed us to compare NASS’ established security practices to the actual settings on the Novell systems. We also compared the system’s security settings to the software product’s “best practices settings,” which are based on standard practices from a wide variety of government and private institutions. The software product reports weaknesses that may leave the system open to potential threats in the following areas: (1) account restrictions, (2) password strength, (3) access control, (4) system monitoring, (5) data integrity, and (6) data confidentiality.

Our assessments disclosed that NASS had corrected several vulnerable areas in its Novell network since our prior audit, including removing administrative authorities from those users that no longer needed them, and increasing user account password strength requirements. However, weaknesses in account restrictions and access controls still exist because NASS was still in the process of fully implementing our prior audit recommendations. These two areas define a user’s ability to access the system. NASS does not have a vulnerability assessment tool for its Novell networks, but officials expressed the need to obtain an assessment tool similar to the one we used. Some of the weaknesses we found included:

•   User accounts were hidden from the system administrator. Because they are hidden, these accounts may not be subject to the same type of review as other accounts and may not be timely removed when no longer needed. Hidden accounts should not be used because they provide an additional means for unauthorized and potentially unmonitored access to the network. This vulnerability is nearly impossible to identify without the assistance of an analysis tool similar to the one we used.

•   An excessive number of accounts had not been accessed within 90 days. We identified 168 of these accounts, 97 of which had not been disabled by the systems administrator. User accounts that become inactive, but are not disabled, provide opportunities for unauthorized users to gain access to the network. An attacker can try different passwords on these inactive accounts and attempt to gain access to the network. Once that access is gained, unauthorized activity cannot be traced to the responsible person.

We provided NASS officials with the vulnerability assessment reports. NASS officials informed us that they had begun addressing the vulnerabilities.

RECOMMENDATION NO. 1

Ensure corrective actions are taken on all high and medium-risk vulnerabilities identified on the assessment reports provided to NASS officials.

Agency Response

NASS agreed that the vulnerabilities found during the audit pose a potential threat to its network. NASS prioritized the vulnerabilities and concentrated on those that were present outside, or external, to its network.
NASS had already mitigated nearly all of the vulnerabilities exploitable from outside its network and many of those that were exploitable from within its network. NASS will make every attempt to mitigate the remaining high and medium-risk vulnerabilities by April 19, 2002, and low-risk vulnerabilities by May 10, 2002. NASS will provide follow-up notification to the Chief Financial Officer and Office of the Chief Information Officer if it fails to successfully mitigate all high and medium-risk vulnerabilities by April 19, 2002.

OIG Position

We accept the management decision on this recommendation.

RECOMMENDATION NO. 2

Implement a written policy to periodically conduct vulnerability scans on all network resources, and ensure that the vulnerabilities identified are timely mitigated.

Agency Response

NASS understands the importance of conducting periodic vulnerability assessments. NASS participated in the Department’s acquisition of vulnerability assessment software in October 2001. NASS plans to complete training in this software’s usage as soon as possible with the intention of beginning network scans during the spring of 2002. NASS has prepared a Security Policy Directive requiring scans of the NASS network on a monthly basis and directing staff to mitigate all high and medium-risk vulnerabilities within two weeks.

OIG Position

We accept the management decision on this recommendation.

RECOMMENDATION NO. 3

Ensure corrective action is taken on all the vulnerabilities identified in NASS’ Novell operating system, especially those pertaining to account restrictions and access controls.

Agency Response

NASS has reviewed the user accounts which have not been accessed for 90 days or more. NASS has deleted 32 of these accounts and disabled an additional 61, totaling 93 of the 97 accounts that had not been accessed for 90 days or more. The remaining four accounts are tied to application software systems and need to be present when problems are encountered. The disabled accounts will be evaluated during April 2002 to determine if they can be permanently deleted from the system.

OIG Position

We accept the management decision on this recommendation.

RECOMMENDATION NO. 4

Obtain the software and implement a policy to periodically scan its Novell systems to identify configuration weaknesses in that operating system.

Agency Response

NASS is currently obtaining prices for a software tool that will allow the agency to perform assessments of our Novell servers. The assessment software will be acquired by NASS in April 2002.

OIG Position

We accept the management decision on this recommendation.

CHAPTER 3 – NASS NEEDS TO STRENGTHEN ADMINISTRATION OF ITS FIREWALL AND IMPROVE REMOTE ACCESS PROCEDURES

FINDING NO. 3

NASS needs to strengthen its firewall administration and increase security over remote access to its network resources. Due to other priorities placed on its security staff, NASS does not have controls in place to keep its firewall configuration current by periodically reviewing and modifying its firewall rules, and has not ensured that the firewall administrator receives proper training in its configuration. In addition, NASS’ current remote access policy reduces the effectiveness of its firewall and its other security measures by allowing unauthenticated access through its firewall. This, together with the weak logical access controls we identified in Finding No. 4, places NASS’ network at risk of compromise.

OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” established a minimum set of controls for agencies’ automated information security programs. Agencies are required to establish controls to assure adequate security for all information processed, transmitted, or stored.

Firewall Configuration

Our review found that NASS has not established controls to periodically review its firewall configurations to ensure that they are kept current and that user accounts on the firewall system are kept to a minimum and are properly disabled or removed when not needed. On one of its firewalls, we found that the NASS security staff had overlooked generic system user accounts that had not been properly disabled.
Further, we found that a former employee responsible for administering the firewall, who resigned in December 2001, still had a user account on the firewall system. We later confirmed that this former employee’s account had been disabled; however, it should have been removed. In addition, we identified firewall rules that allowed specific Internet Protocol (IP) addresses access to the firewall. These IP addresses were needed when one of NASS’ employees, located in a remote office, was assisting in the configuration of the firewall over two years ago. That employee is no longer with NASS; therefore, those IP addresses should have been removed from those rules. We consider this a material weakness.

We also found that NASS had provided its security staff with only limited training on the proper configuration of its firewalls. While the security staff were the only ones allowed to enter or change firewall rules, they relied heavily on the NASS technical staff for guidance on what rules should be entered and how to enter them. Without proper training, the security staff was not sufficiently knowledgeable about firewall configurations to question the legitimacy or appropriateness of the rules being entered.

Remote Access

NASS has adopted a flexible workplace policy that allows its employees to work from their homes on a limited basis. Some of the employees have acquired high-speed Internet access for their homes, providing them with faster and more efficient access to the NASS network than the older dial-up connections. To facilitate this, NASS configured its firewall to allow its employees to gain access to its network using two commercially available remote access software packages. This configuration circumvents one additional layer of authentication normally required of remote users that connect to NASS’ network using its dial-in access server. NASS users still need to provide user identification and a password for the remote access software, along with an additional password for their network login. However, this configuration allows anyone with these two programs to scan NASS’ network attempting to connect to its systems, providing an opportunity to try guessing user names and passwords to gain entry. While NASS has provided its users with remote access software setup instructions that require passwords and the encryption of the data transmitted, NASS does not have any control over how the users ultimately decide to establish their connections. We consider this a material weakness.

NASS should implement a virtual private network (VPN) solution and require smart card or token authentication for those sessions. Users would have to provide a user name, password, and an un-shareable token before access through the firewall could be granted. Further, through the use of a VPN, NASS could be assured that the data transmitted over the Internet would be encrypted, preventing unauthorized disclosure of any sensitive data transmitted. Finally, NASS would have more control over how this environment is configured and could control who has the authority to use the remote access software to gain entry into the NASS network.

We discussed these issues with NASS management. They have agreed with our position and have begun procuring a smart card or token authorization system to implement with a VPN solution.

RECOMMENDATION NO. 5

Develop and implement a policy to periodically review the firewall configuration and remove or modify firewall rules as necessary.

Agency Response

NASS has acquired new enterprise firewalls which are compatible with the Department’s firewall solution. NASS has taken steps to reduce the number of individual firewall rules, which directly reduces the work associated with firewall management. NASS will be reviewing all firewall rules as the implementation of the new firewalls proceeds and will eliminate unnecessary rules at that time. NASS plans to have the new firewalls operational in May 2002.

A Security Policy Directive has been approved which documents firewall configuration and management. This directive discusses the process for adding, deleting, and modifying firewall rules. It also addresses the issue of periodically reviewing the firewall rules which have been implemented.

OIG Position

We accept the management decision on this recommendation.

RECOMMENDATION NO. 6

Implement a VPN solution with smart card or token authentication and strong encryption for remote access to the internal NASS network.

Agency Response

NASS contracted with a private-sector firm, which, along with OIG, recommended NASS implement advanced authentication measures for remote access.
NASS has taken the first step in this process with the acquisition and implementation of modern firewall technology. NASS plans to implement a system providing advanced authentication for remote access following the implementation and testing of the new firewalls. The implementation of an advanced authentication system is expected to begin in July 2002.

OIG Position

We accept the management decision on this recommendation.

RECOMMENDATION NO. 7

Ensure that NASS’ security staff is properly trained to configure and maintain the firewall rule base to ensure the appropriateness of firewall rules.

Agency Response

NASS included a training requirement, as well as assistance with configuration and implementation of the new firewalls, as part of the recent firewall acquisition. This training will ensure that the security staff is well versed in firewall management and the generation and modification of rules. As stated in its response to Recommendation No. 5, NASS plans to have the new firewalls operational in May 2002.

OIG Position

We accept the management decision on this recommendation.

CHAPTER 4 – NASS NEEDS TO STRENGTHEN ITS LOGICAL ACCESS CONTROLS

FINDING NO. 4

NASS did not ensure that only authorized users had access to its network. NASS had not implemented adequate written procedures to ensure that it timely removed user accounts for those persons that left NASS employment, and had accepted the risk posed by the use of generic user accounts on its network. As a result, persons no longer employed at NASS or anyone with knowledge of the generic user identifications (IDs) could inappropriately access and potentially destroy critical NASS data.

Department Manual 3140-1.6, ADP Security Manual (part 6 of 8), Appendix D, Section 4a, requires agencies to use individual user IDs and passwords to control access to systems processing personnel, financial, market-related, or other sensitive data. Section 6c specifically prohibits issuance of group logon IDs and passwords and prohibits the sharing of the same. Section 6c also requires security staff to remove employee user IDs and passwords when the employee is no longer with the agency.

In our prior report of IT security at NASS,[4] we found that NASS had 3 user accounts on its network that belonged to persons no longer employed by NASS, and 150 generic user accounts that could have been used by several persons. We recommended that NASS reduce the number of generic user accounts, disable those that are not in use, and ensure that the privileges of those accounts are not excessive. While NASS disabled 54 of the 150 generic user accounts we identified, NASS chose to accept the risk that these generic user accounts pose in order to provide its staff easier administration of accounts that are used only temporarily by any one person.

[4] Audit Report No. 26099-1-FM, “Security Over Information Technology Resources at the National Agricultural Statistics Service,” dated May 14, 2001.

Generic accounts do not provide for individual responsibility and make it impossible for system administrators to track the actions of the users of those accounts in the event that inappropriate or malicious actions are taken. Further, the existence of generic user accounts provides additional accounts that a malicious user could use to gain unauthorized access to network resources and data.

In our current review, we found that NASS had not removed the user accounts for six persons no longer employed by NASS, five of which had not been disabled. NASS needs to establish a formal reconciliation process to ensure that separated employees are timely removed from its network. In addition, we found 228 generic user accounts, which represented over 38 percent of the total number of user accounts on NASS’ headquarters network.
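The account conditions described in this finding and in the Novell assessment under Finding No. 2 (accounts unused for more than 90 days that were never disabled, separated employees’ accounts that were disabled but not removed, shared generic accounts with no individual owner, and hidden accounts) can be checked mechanically against a personnel listing. The following Python script is an added illustration of such a reconciliation and is not NASS or OIG code; the account records, employee names, and review date it uses are constructed sample data.

```python
"""Reconcile network user accounts against a personnel listing.

Added illustration only (not NASS or OIG code). The accounts, employee
names and review date below are constructed sample data; the 90-day
inactivity threshold is the one used in the audit findings.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

INACTIVE_DAYS = 90


@dataclass
class Account:
    user_id: str
    owner: Optional[str]        # None: no individual is responsible (generic/shared account)
    last_login: Optional[date]  # None: the account has never been used
    disabled: bool = False
    hidden: bool = False        # not shown in the administrator's normal account listing


def reconcile(accounts: List[Account], current_staff: Set[str],
              separated: Set[str], as_of: date) -> Dict[str, object]:
    """Return the account conditions a periodic review should act on."""
    cutoff = as_of - timedelta(days=INACTIVE_DAYS)

    def ids(selected):
        return sorted(a.user_id for a in selected)

    # Enabled accounts not used within the last 90 days (never used counts as inactive).
    inactive = [a for a in accounts
                if not a.disabled and (a.last_login is None or a.last_login < cutoff)]
    # Accounts of separated employees: still enabled is the urgent case;
    # disabled-but-present should still be removed.
    sep_enabled = [a for a in accounts if a.owner in separated and not a.disabled]
    sep_disabled = [a for a in accounts if a.owner in separated and a.disabled]
    # A named owner on neither listing means the directory and personnel records disagree.
    unknown = [a for a in accounts
               if a.owner is not None and a.owner not in current_staff and a.owner not in separated]
    generic = [a for a in accounts if a.owner is None]
    hidden = [a for a in accounts if a.hidden]

    return {
        "inactive_not_disabled": ids(inactive),
        "separated_still_enabled": ids(sep_enabled),
        "separated_disabled_not_removed": ids(sep_disabled),
        "owner_not_in_personnel_listing": ids(unknown),
        "generic": ids(generic),
        "generic_share": len(generic) / len(accounts) if accounts else 0.0,
        "hidden": ids(hidden),
    }


def sample_data():
    """Constructed sample: a small directory and personnel listing as of 15 Feb 2002."""
    as_of = date(2002, 2, 15)
    current_staff = {"J. Smith", "A. Kim", "R. Jones"}
    separated = {"T. Brown", "P. Lee"}
    accounts = [
        Account("jsmith", "J. Smith", date(2002, 2, 10)),
        Account("akim", "A. Kim", date(2002, 2, 12)),
        Account("rjones", "R. Jones", date(2001, 10, 1)),                # current staff, unused > 90 days
        Account("tbrown", "T. Brown", date(2001, 11, 20)),               # separated, still enabled
        Account("fwadmin", "P. Lee", date(2001, 12, 1), disabled=True),  # separated, disabled not removed
        Account("mgreen", "M. Green", date(2002, 2, 1)),                 # owner on neither listing
        Account("temp01", None, date(2002, 1, 5)),                       # shared rotating account
        Account("temp02", None, None),                                   # shared, never used
        Account("guest", None, date(2001, 6, 1), disabled=True),         # shared, already disabled
        Account("svc_backup", None, date(2002, 2, 1), hidden=True),      # hidden from normal listing
    ]
    return accounts, current_staff, separated, as_of


if __name__ == "__main__":
    accounts, staff, separated, as_of = sample_data()
    for key, value in reconcile(accounts, staff, separated, as_of).items():
        print(f"{key}: {value}")
```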
We consider this a material weakness.

NASS officials informed us that they use a majority of these generic accounts for people needing access to the network on a rotating basis, eliminating the need for NASS network administrators to delete and recreate a user account every time one is needed. However, due to the sensitive nature of the data that NASS maintains, we believe that it should discontinue the use of shared, generic user accounts, and create user accounts when needed that provide for individual responsibility.

RECOMMENDATION NO. 8

Establish and implement procedures to ensure that separated employees’ user accounts are timely removed from the NASS network.

Agency Response

NASS attempts to disable separated user accounts in a timely manner. There are occasions when user accounts are left active; for example, managers may need to move files to a new employee now responsible for a recently separated employee’s activities. NASS distributes personnel summaries which provide information concerning employees that are recently hired, separated, and transferred. The security staff will be added to the distribution list for this summary in April 2002. Additionally, the security staff will ask NASS’ personnel office for a listing of all separated and transferred employees on a quarterly basis beginning in April 2002. This should ensure that NASS remains current in disabling accounts for those employees who no longer require access to the network.

OIG Position

We agree with NASS’ proposed actions.

RECOMMENDATION NO. 9

Establish and implement procedures to periodically reconcile user accounts on the NASS networks to current employee listings, and take immediate action to remove those accounts no longer needed.

Agency Response

NASS security staff will ask the personnel office for a listing of current employees on a quarterly basis beginning in April 2002. This listing will be used to reconcile current employees with current network user accounts.

OIG Position

We agree with NASS’ proposed actions.

RECOMMENDATION NO. 10

Discontinue the use of all generic user accounts on the NASS network. Establish accounts on an as-needed basis and assign individual responsibility to those accounts.

Agency Response

NASS agrees there is a degree of risk associated with allowing generic user accounts. NASS has disabled an additional 32 of these generic user accounts and deleted another 20. NASS is in the process of switching from generic user accounts to specific individual accounts for infrequent users. NASS plans to be totally switched from generic user accounts to individual accounts by September 30, 2002.

OIG Position

We accept the management decision on this recommendation.

CHAPTER 5 – FURTHER ACTIONS NEEDED TO COMPLY WITH FEDERALLY MANDATED SECURITY REQUIREMENTS

FINDING NO. 5

As reported in our prior audit, NASS has not completed all the necessary risk assessments of its systems, adequately planned for network and system contingencies, or properly certified to the security of its major systems. NASS has begun and continues to take the necessary actions toward compliance. Since NASS relies on its IT infrastructure to supply market-sensitive data on commodities to the agricultural economy, it needs to promptly complete its planned actions to ensure compliance with these federally mandated requirements.

OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” established a minimum set of controls for agencies’ automated information security programs, including certifying to the security of any systems that maintain sensitive data, establishing contingency plans and recovery procedures in the event of a disaster, and establishing a comprehensive security plan.
Further, Presidential Decision\n           Directive (PDD) 63, \xe2\x80\x9cPolicy on Critical Infrastructure Protection,\xe2\x80\x9d requires\n           agencies to assess the risks to their networks and establish a plan to\n           mitigate the identified risks. Finally, the Government Performance and\n           Results Act (GPRA) of 1993 requires agencies to establish annual\n           performance plans and measurable performance goals relating to its\n           operations.\n\n           In our prior audit, we reported that NASS\xe2\x80\x99 security plan did not include all\n           the required elements outlined in OMB Circular A-130, that it had not\n           completed risk assessments for all of its major systems, had not properly\n           planned for contingencies by establishing a comprehensive disaster\n           recovery plan, or properly certified to the security controls in its major\n           systems.      We recommended that NASS take actions to ensure\n           compliance with these requirements including implementing a time-phased\n           plan to correct the deficiencies. NASS agreed with our recommendations\n           and agreed to complete its compliance with these requirements by August\n           2001. While NASS missed that timeframe, our review showed that it\n           continues to take the necessary steps toward compliance. 
At the time of\n           our review, NASS had updated its security plan; completed risk\n           assessments for 2 of its systems, its network and 1 of the 10 systems\n\n\nUSDA/OIG-A/26099-2-FM                                                         Page 19\n\x0c          identified in its security plan; and designed disaster recovery procedures\n          for its field and headquarters offices.\n\n          Since NASS is in the process of complying with these federally mandated\n          requirements and the recommendations we made in our prior report, we\n          are making no further recommendations on these issues in this report.\n          However, until such time that NASS has completed compliance with these\n          requirements, NASS needs to include this material weakness, and those\n          addressed elsewhere in this report, in its Federal Manager\xe2\x80\x99s Financial\n          Integrity Act (FMFIA) report. Further, we believe that these weaknesses\n          require NASS to establish measurable performance goals relating to\n          securing its IT resources in its GPRA report.\n\n                                     Report the material control weaknesses\n RECOMMENDATION NO. 11               identified in this report, including the\n                                     noncompliance with OMB Circular A-130 and\n                                     PDD 63 in its FMFIA report.\n\n          Agency Response\n\n          NASS is attempting to comply with the requirements of OMB Circular A-\n          130. 
NASS spent a great deal of time during fiscal year 2001 trying to get the security plan in compliance with OMB Circular A-130 and PDD 63. Until compliant, NASS will report this material control weakness in its annual FMFIA report.

OIG Position

We accept the management decision on this recommendation.

RECOMMENDATION NO. 12

Establish performance goals and measures relating to IT security in its GPRA report.

Agency Response

NASS is in the process of developing the agency’s fiscal year 2003 Annual Performance Plans as required under GPRA. NASS is defining a performance goal and associated measures to be included in this report. NASS will establish its goals and begin to measure its performance in July 2002.

OIG Position

We agree with NASS’ actions on this recommendation.

EXHIBIT A – NASS RESPONSE TO THE DRAFT REPORT

ABBREVIATIONS

FMFIA     Federal Managers’ Financial Integrity Act
GPRA      Government Performance and Results Act
ID        identification
IP        Internet Protocol
IT        Information Technology
NASS      National Agricultural Statistics Service
OIG       Office of Inspector General
OMB       Office of Management and Budget
PDD       Presidential Decision Directive
SSO       State Statistical Office
TCP/IP    Transmission Control Protocol/Internet Protocol
USDA      U.S. Department of Agriculture
VPN       Virtual Private Network
'
